FDIC’s IT Security Risk Management Program – Overall Program Policies and Procedures and the Risk Assessment Process

(Report No. 04-028, July 30, 2004)

Summary

This report presents the results of an audit by International Business Machines (IBM) Business Consulting Services (hereafter referred to as IBM), an independent professional services firm engaged by the Office of Inspector General (OIG) to support its efforts to satisfy reporting requirements related to the Federal Information Security Management Act of 2002.

The objective of this audit was to determine whether the FDIC has an adequate information technology (IT) security risk management program. The scope of the audit focused on the adequacy of the FDIC’s policies and procedures for the Information Technology Security Risk Management Program and the risk assessment process. IBM concluded that the FDIC had made progress since August 2003 in implementing the program. However, policies and procedures for the overall risk management program and the risk assessment process could be strengthened.

Recommendations

IBM made three recommendations to the Director, Division of Information Resources Management (DIRM), to improve the policies and procedures for managing IT risk.

Management Response

DIRM has agreed to take corrective actions for two recommendations, which are resolved but will remain undispositioned and open for reporting purposes until we have determined that agreed-to corrective actions have been completed and are effective. DIRM did not concur with a part of the third recommendation. Overall, this recommendation is not resolved.

This report addresses issues associated with information security. Accordingly, we have not made, nor do we intend to make, public release of the specific contents of the report.